Review AD FS terminology
Applies To: Azure, Office 365, Power BI, Windows Intune
Before you begin using this content to deploy AD FS for single sign-on to the cloud service, we recommend that you first read about AD FS terms that are used throughout this article.
AD FS term | Definition |
---|---|
AD FS configuration database |
A database used to store all configuration data that represents a single AD FS instance or Federation Service. This configuration data can be stored using the Windows Internal Database (WID) feature included with Windows Server 2008, Windows Server 2008 R2, and Windows Server 2012 or using a Microsoft SQL Server database. |
Claim |
A statement that one subject makes about itself or another subject. For example, the statement can be about a name, email, group, privilege, or capability. Claims have a provider that issues them (in this case a Microsoft cloud service customer) and they are given one or more values. They are also defined by a claim value type and, possibly, associated metadata. |
Federation Service |
A logical instance of AD FS. A Federation Service can be deployed as a standalone federation server or as a load-balanced federation server farm. The name of the Federation Service defaults to the subject name of the SSL certificate. The DNS name of the Federation Service must be used in the Subject name of the Secure Sockets Layer (SSL) certificate. |
Federation server |
A computer running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 that has been configured to act in the federation server role for AD FS. A federation server serves as part of a Federation Service that can issue, manage, and validate requests for security tokens and identity management. Security tokens consist of a collection of claims, such as a user's name or role. |
Federation server farm |
Two or more federation servers in the same network that are configured to act as one Federation Service instance. |
Federation server proxy |
A computer running Windows Server 2008, Windows Server 2008 R2, or Windows Server 2012 that has been configured to act as an intermediary proxy service between a client on the Internet and a Federation Service that is located behind a firewall on a corporate network. In order to allow remote access to the cloud service, such as from a smart phone, home computer, or Internet kiosk, you need to deploy a federation server proxy. |
Web Application Proxy |
In Active Directory Federation Services in Windows Server 2012 R2, the role of a federation server proxy is handled by a new Remote Access role service called Web Application Proxy. To enable your AD FS for accessibility from outside of the corporate network (in other words, to configure extranet access), which is the purpose of deploying a federation server proxy in legacy versions of AD FS (AD FS 2.0 and AD FS in Windows Server 2012), you can deploy one or more Web Application Proxies for AD FS in Windows Server 2012 R2. For more information about the Web Application Proxy, see Web Application Proxy Overview. |
Relying party |
A Federation Service or application that consumes claims in a particular transaction. |
Relying party trust |
In the AD FS Management snap-in, a relying party trust is a trust object that is created to maintain the relationship with another Federation Service, application, or service (in this case the Microsoft Azure Active Directory (Microsoft Azure AD) service) that consumes claims from your organization’s Federation Service. |
Network load balancer |
A dedicated application (such as Network Load Balancing) or hardware device (such as a multilayer switch) used to provide fault tolerance, high availability, and load balancing across multiple nodes. For AD FS, the cluster DNS name that you create using this NLB must match the Federation Service name that you specified when you deployed your first federation server in your farm. |
Next step
Now that you have reviewed AD FS terminology, the next step is to Plan your AD FS deployment.